First, give us a picture of the situation. What cyber attacks are affecting businesses right now?
For the last 18 months, we have intervened in about 125 major events in Quebec and Canada. A large percentage of these were cyberextortion, that is, ransomware that ultimately came with a ransom note.
Recently, the initial source of compromise was the infamous flaw in Microsoft Exchange servers, the ancestor of Office 365, the infamous email server that was installed in 98% of companies. Back then, everyone had Exchange servers, and there are still leftovers; there are still companies that have Exchange servers in production.
In the past three or four months, two-thirds of ransomware or cyberextortion attacks have been carried out through this loophole, which has been in the code for a long time but was discovered and democratized this year. Just a little before that, there were loopholes in the firewalls. It is often a mix, a context; it is not always a single flaw or a single weakness that is exploited. It is often an accumulation of weaknesses that leads to the success of an attack.
You speak of a “democratized” flaw. So from the moment it was made public, it resulted in a second wave of hackers who discovered it and appropriated the tools to exploit it?
Exactly. Among cybercriminals, there are various groups of actors. There are some who will specialize in compromising assets and installing a backdoor. It’s like a reverse VPN: software installed on the machine that contacts the attacker’s server, or even shows up on the internet saying, “Here is an open door.” Often, attackers will set up a backdoor and then sell that access on to other groups who will exploit it.
So there is a specialization of tasks among cybercriminals?
Yes, we can say that. There are different groups of actors. There are some who will even develop tools and services, “ransomware as a service”, who will rent you the tools or take a commission on the tools you use. It’s a tool, and a web platform too. When you ask for a ransom, you leave a link, someone logs in, and they land on a beautiful portal with a chat room. If you want to be successful in the world of cybercrime, it is not enough to have the skills and certain tools. When you want to monetize an attack or a data theft, it’s a little more complex. Starting from zero, cashing in can be relatively complex if you are poorly equipped. This is why there are now groups that specialize in setting up services and tool boxes. You will have everything you need to commit your crime extremely smoothly.
Do you ever come across companies that have already been compromised, but where the attack did not go far?
Yes, it happens a lot. In more than 50% of cases, or even 60%, we discover that the company has already been the victim of an intrusion or a cyberattack. Some were damaging, but limited. Sometimes the company did not say so, or it was forgotten. Sometimes it didn’t show up either. Why? We see that there has been an intrusion, that the intruder took control of certain machines or installed encryption software and may have stolen data, but we do not know. What explains this? It can be an attack that is relatively automated, where the first steps failed and the attacker did not continue manually. Maybe the attacker hit a wall, was not experienced enough, did not have enough tools, and simply gave up. It can simply be a lack of time, a lack of interest.
How can we protect ourselves, obviously considering that zero risk does not exist?
There are the classics. Multi-factor authentication, on all remote access and cloud services.
You also need good antivirus protection. There is a lot of talk about Endpoint Detection and Response (EDR) protection. These are next-generation antivirus, high-quality solutions for device and server protection, and that’s super important. We are no longer talking about conventional antivirus.
The key is to have a backup copy that is not connected to the network. The attacker must not be able to touch these backups.
Are you optimistic about the future?
Yes, honestly, in the last couple of years there has really been a dramatic improvement. There is still a lot to do in some companies. But I think there are fewer and fewer easy prey, basically. Most attacks are opportunistic; they are rarely targeted proactively. Cybercriminals aim to make easy money. If you are at all in the easy prey category, they will surely go elsewhere.
What hurts us right now are sudden critical flaws, like Exchange, and there are going to be more. But the forces are pretty much equal. You have to be careful; the attackers will adjust. There is too much money to be made for them to give up. They will roll up their sleeves to continue their feast.
For readability and brevity, this interview has been edited.
In numbers
US$18 billion
Estimated minimum total of ransoms paid around the world in 2020, with the maximum total estimated at US$74 billion, for 506,185 demands. (Source: 2021 report, Emsisoft)
4,000
Estimated number of ransomware attacks in 2020 in Canada. Total ransom demands are estimated to be between $202 million and $703 million. (Source: 2021 report, Emsisoft)
5 to 10%
Estimated share of cybercrimes and frauds that are reported to police in Canada. (Source: GRC)
35%
Percentage of computer attacks worldwide in 2020 that exploited a vulnerability, such as the one in Microsoft Exchange. For the first time that year, this category surpassed phishing. (Source: X-Force Threat Intelligence Index 2021, IBM)
US$123 million
Estimated gains in 2020 for the most active ransomware, Sodinokibi, which alone accounts for 22% of reported events worldwide. (Source: X-Force Threat Intelligence Index 2021, IBM)
Four observations
Organized crime
It’s hard to believe that classic organized crime, from mafias to criminal motorcycle gangs to the triads, is not lured by a multi-billion-dollar activity. “It is clear that certain groups invest in cybercrime,” estimates Guillaume Clément, partner at KPMG. “Two worlds meet: we have professional cybercriminals, who have emerged in this form, and the more generalist, classic criminal, who is interested or has invested. It should also be noted that when one commits a cybercrime, the risk of getting caught is much lower than in the case of other, more physical crimes.”
Ransoms
Should a company whose data has been stolen and encrypted pay the ransom demanded? One-third or even two-thirds of them would, according to various estimates. “Often, when we advise organizations, we tell them right off the bat that we don’t pay ransoms,” explains Mr. Clément. “After that, on the other hand, once you’ve put morality aside, you make a business decision by analyzing the time it will take to come back alive, the efforts and the costs to bring back the lost data…”
Credibility
Against all odds, the hackers who encrypted and stole your data will usually keep their word once the ransom has been cashed. This is an observation made without false shame at KPMG. “It’s very complex decision-making, but yes, they keep their word, relatively speaking. The basic problem is that we created a monster. Cybercriminals developed a business model because they were able to have volume. If no one paid the ransom anymore, if insurers no longer covered it, their business model would explode. They had better keep their word.”
Phishing
What about good old phishing in all of this? Far from having disappeared, since it reportedly still represents roughly 31% of attacks worldwide, it has however become more difficult. “Antivirus is better, device protection is better,” said the cybersecurity expert. “Sending a corrupted Word or Excel file, one that is malicious, that takes control of your workstation without being blocked, is increasingly difficult. It was easy a few years ago, even a few months ago. So they are moving towards something else. But it will come back; these are cycles.”